1.37.0 (Pending)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

  • dynamic modules: Updated the dynamic module ABI to support streaming body manipulation and fixed incorrect behavior when accessing or modifying request or response bodies. See https://github.com/envoyproxy/envoy/issues/40918 for details.

  • http: Added runtime flag envoy.reloadable_features.reject_early_connect_data to reject CONNECT requests that send data before Envoy returns a 200 response. This non-compliant behavior is common for latency reduction, so the option is disabled by default.

  • http: Changed the default reset behavior when an upstream protocol error occurs. In the previous behavior, Envoy would propagate the upstream protocol error to the downstream client. In the new behavior, Envoy will ignore the upstream protocol error. This change can be reverted by setting the runtime guard envoy.reloadable_features.reset_ignore_upstream_reason to false.

  • http: Changed the default reset code from NO_ERROR to INTERNAL_ERROR. This change can be reverted by setting the runtime guard envoy.reloadable_features.reset_with_error to false.

  • proto_api_scrubber: Changed the response status code for blocked methods from 403 Forbidden (gRPC PERMISSION_DENIED) to 404 Not Found (gRPC NOT_FOUND) to prevent method enumeration.

  • server: Added container-aware CPU detection on Linux that respects cgroup CPU limits alongside hardware thread count and CPU affinity when --concurrency is not set. Envoy now uses the minimum of hardware threads, CPU affinity, and cgroup CPU limits to size worker threads by default, improving resource utilization in cgroup-limited containers. This behavior can be disabled by setting ENVOY_CGROUP_CPU_DETECTION to false to restore the previous hardware thread and affinity-based sizing. The detection uses conservative floor rounding to leave capacity for non-worker threads, which may reduce the total number of connections.
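
The sizing rule in the server entry above, worked through as an added example (not Envoy's own code): the default worker count is the minimum of hardware threads, CPU affinity, and the floored cgroup CPU limit. The function names, the parsing of cgroup v2 cpu.max and cgroup v1 CFS quota values, and the clamp to at least one worker are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <iostream>
#include <optional>
#include <sstream>
#include <stdexcept>
#include <string>

// Parses the contents of a cgroup v2 "cpu.max" file: "<quota> <period>",
// where <quota> is the literal "max" when no limit is set.
// Returns the limit in CPUs, or nullopt when unlimited or malformed.
std::optional<double> cgroupV2CpuLimit(const std::string& cpu_max) {
  std::istringstream in(cpu_max);
  std::string quota;
  long long period = 0;
  if (!(in >> quota >> period) || period <= 0 || quota == "max") {
    return std::nullopt;
  }
  try {
    std::size_t used = 0;
    const long long q = std::stoll(quota, &used);
    if (used != quota.size() || q <= 0) {
      return std::nullopt;
    }
    return static_cast<double>(q) / static_cast<double>(period);
  } catch (const std::exception&) {
    return std::nullopt;  // non-numeric quota
  }
}

// cgroup v1 exposes cpu.cfs_quota_us and cpu.cfs_period_us separately;
// a quota of -1 means "no limit".
std::optional<double> cgroupV1CpuLimit(long long cfs_quota_us, long long cfs_period_us) {
  if (cfs_quota_us <= 0 || cfs_period_us <= 0) {
    return std::nullopt;
  }
  return static_cast<double>(cfs_quota_us) / static_cast<double>(cfs_period_us);
}

// Minimum of hardware threads, affinity mask size, and the floored cgroup
// limit. Flooring means a 2.5 CPU limit yields 2 workers, not 3.
// Assumption: the result is clamped so there is always at least one worker.
uint32_t defaultWorkerCount(uint32_t hw_threads, uint32_t affinity_cpus,
                            std::optional<double> cgroup_limit) {
  uint32_t n = std::min(hw_threads, affinity_cpus);
  if (cgroup_limit && *cgroup_limit < static_cast<double>(n)) {
    n = static_cast<uint32_t>(std::floor(*cgroup_limit));
  }
  return std::max<uint32_t>(n, 1);
}

int main() {
  // Constructed inputs: a 16-thread host, 8 CPUs in the affinity mask.
  const char* samples[] = {"250000 100000\n", "max 100000\n", "50000 100000\n"};
  for (const char* s : samples) {
    std::cout << "cpu.max=" << std::string(s).substr(0, std::string(s).size() - 1)
              << " -> workers=" << defaultWorkerCount(16, 8, cgroupV2CpuLimit(s)) << "\n";
  }
  return 0;
}
```

A pod with a fractional limit below 1 CPU still gets one worker under this example's clamp; compare the result against the worker count the previous hardware and affinity sizing would have produced when planning per-worker connection limits.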

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • access_log: Fixed rejection of the truncation-length specifier for DYNAMIC_METADATA():Z in access log format strings. The length parameter now truncates strings and other value types; structured data types are not truncated.

  • ext_authz: Check response header count and size after applying mutations and send a local reply if limits are exceeded.

  • ext_authz: Fixed HTTP ext_authz service to propagate headers (such as set-cookie) back to clients. The filter now uses allowed_client_headers for denied responses and allowed_client_headers_on_success for successful responses.

  • ext_authz: Fixed the HTTP ext_authz client to respect user-configured retry_on in retry_policy. Previously, the value was overridden with 5xx,gateway-error,connect-failure,reset. Controlled by runtime flag envoy.reloadable_features.ext_authz_http_client_retries_respect_user_retry_on (defaults to true); set to false to preserve the old behavior.

  • ext_proc: Added immediate_responses_sent counter to the ext_proc filter stats in the http.<stat_prefix>.ext_proc. namespace.

  • ext_proc: Added server_half_closed counter to the ext_proc filter stats in the http.<stat_prefix>.ext_proc. namespace.

  • ext_proc: Close the gRPC stream when Envoy detects no further external processing is needed. This currently excludes BUFFERED and BUFFERED_PARTIAL modes and a few corner cases, which close the stream during filter destruction. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.ext_proc_stream_close_optimization to false.

  • ext_proc: Use a hard-coded set of error messages when a HeaderMutation fails. Removing request-specific details allows grouping by failure type. Detailed messages remain available in debug logs.

  • http: Retries of async HTTP client calls now respect the configured buffer limits, and a retry is ignored if the buffer limit is exceeded. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.http_async_client_retry_respect_buffer_limits to false.

  • http: The route level body buffer limit is now applied to requests when the route is matched. Previously, it was only applied when the router filter was reached.

  • mobile: Use mobile-specific network observer registries to propagate network change signals. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.mobile_use_network_observer_registry to false.

  • overload_manager: Fixed downstream connections monitor to trigger configured actions and emit a pressure metric like other resource monitors. Previously, actions never triggered.

  • quic: Switched to QUICHE-provided migration logic to handle port migration on path degradation and migration to the server preferred address. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.use_migration_in_quiche to false.

  • router: Added host_rewrite and path_rewrite to RouteAction to support substitution formatting for host and path header rewriting.

  • tap: Added sequence number per event in transport socket streamed trace.

  • tap: Changed the last sequence number from sentinel value to the previous sequence number plus one.

  • tls_inspector: Changed TLS inspector to extract SNI during the early select certificate callback. This ensures SNI is populated in access logs even for connections that fail during the subsequent TLS handshake processing.

  • tracing: The request header custom tag now only supports fetching values from HTTP request headers. Non-HTTP protocols must use the substitution formatter-based custom tag value. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.get_header_tag_from_header_map to false.

  • wasm: Execute foreign functions on the effective context, when set by Wasm SDKs. Previously, foreign functions called from HTTP or gRPC callbacks could receive a root context instead of a stream context. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.wasm_use_effective_ctx_for_foreign_functions to false.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • adaptive concurrency: Fixed a race condition in the gradient controller that allowed more outstanding requests than the concurrency limit, bounded by the number of worker threads.

  • aws: Changed web identity token file watching in AWS signing components to pick up rotated tokens.

  • bootstrap: Fixed a startup crash when custom header_prefix was set.

  • composite: Fixed per-route configuration for the composite filter to match on response headers and trailers. Previously, matchers using HttpResponseHeaderMatchInput or HttpResponseTrailerMatchInput silently failed, skipping the delegated filter.

  • connection: Fixed connection handling to propagate transport failure reasons to StreamInfo before close events, ensuring connection.transport_failure_reason and DOWNSTREAM_TRANSPORT_FAILURE_REASON are populated for all connection types.

  • connection pool: Fixed a crash in the TCP connection pool during downstream teardown when large requests or responses triggered flow control.

  • dns_resolver: Removed unnecessary getifaddrs() system calls when filter_unroutable_families is disabled.

  • dynamic modules: Fixed a soundness bug in the Rust SDK by tightening bounds on the HttpFilterConfig trait.

  • ext_authz: Fixed the gRPC ext_authz client to respect status_on_error configuration when gRPC calls fail. Previously, gRPC call failures always returned 403 Forbidden regardless of the configured error status.

  • ext_proc: Fixed missing attributes based on request headers (for example, request.host) when ext_proc was configured to run only on the encode path.

  • http: Fixed shouldDrainConnectionUponCompletion() to send GOAWAY frames for HTTP/2 and HTTP/3 instead of aggressively closing connections, preventing interrupted response bodies and ERR_DRAINING client errors. HTTP/1.1 behavior is unchanged.

  • http: Fixed a remote jwt_auth token fetch crash when two or more auth headers were present and allow_missing_or_failed was set.

  • http2: Fixed a memory leak when an HTTP/2 stream was reset before request headers were sent (for example, if an upstream HTTP filter sent a local reply after the connection was established but before headers were sent).

  • http2: Optimized HTTP/2 header processing by avoiding allocations and string copies for well-known header names. Common headers (:method, :path, :status, content-type, user-agent, etc.) now reference static strings, reducing allocations and improving performance.

  • http_11_proxy: Fixed http_11_proxy transport socket buffering of bytes written after the initial HTTP CONNECT request was sent but before the response was received, which could buffer until connection timeout.

  • lua: Fixed a crash when Lua filters set the response body to a payload larger than the body buffer limit.

  • oauth2: Fixed a bug in the OAuth2 filter that caused multiple concurrent login flows to interfere with each other. This could lead to incorrect behavior when multiple requests initiated separate OAuth2 logins at the same time.

  • proto_api_scrubber: Fixed a crash in the Proto API Scrubber filter when internal buffer conversion fails. The filter now gracefully rejects the traffic with a local reply and error detail proto_api_scrubber_FAILED_PRECONDITION instead of terminating the process.

  • router: Fixed a bug where the vhost per request buffer limit bytes took precedence over the route per request buffer limit bytes.

  • router: Fixed a regression where router-set headers (for example, x-envoy-expected-rq-timeout-ms, x-envoy-attempt-count) were not accessible in request_headers_to_add on the initial request. These headers can now be referenced via formatters such as %REQ(x-envoy-expected-rq-timeout-ms)%.

  • router: Fixed an upstream HTTP filter issue when a route retried on 5xx and the filter returned FilterHeadersStatus::StopIteration in encodeHeaders().

  • sds: Fixed SDS to enable auto-recovery when initial certificate file loading fails. Previously, if certificate files did not exist during initial SDS configuration, no file watch callbacks were set up, preventing automatic recovery when files appeared later.

  • tap: Added missing conversion support to ensure tapped messages are handled correctly for multi-event submissions.

  • tcp_proxy: Fixed a connection leak in TCP proxy when receive_before_connect is enabled and the downstream connection closes before the upstream connection is established.

  • tls: Fixed truncation of OTHERNAME SANs with embedded null octets in TLS certificates, which caused incorrect SAN validation.

  • udp_proxy: Fixed cases where addresses could be moved from the data packet being processed.

  • upstream: Fixed transport socket matcher to correctly use downstream connection filter state for matching and optimized the selection path to avoid per-connection resolution overhead when filter state input is not used.
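
The tls entry above (OTHERNAME SANs with embedded null octets) describes a truncation bug class that can be reproduced in isolation. This added example (not Envoy's code; the function names and the SAN bytes are constructed for illustration) contrasts a comparison that routes the SAN through a C string with one that compares the full length-delimited value, and escapes non-printable octets so the anomaly is visible in logs.

```cpp
#include <iostream>
#include <string>
#include <string_view>

// Constructed sample SAN value: an expected identity, one NUL octet, then
// additional bytes. ASN.1 strings carry an explicit length, so all 29 bytes
// are part of the name the certificate actually asserts.
std::string constructedSan() {
  using namespace std::string_literals;
  return "svc-a.internal\0.other.example"s;
}

// Lossy comparison: treating the value as a C string stops at the first NUL,
// so only the prefix before it is compared.
bool matchesViaCString(const std::string& raw_san, std::string_view expected) {
  return std::string_view(raw_san.c_str()) == expected;
}

// Length-preserving comparison: every byte of the decoded value must match.
bool matchesFullValue(std::string_view raw_san, std::string_view expected) {
  return raw_san == expected;
}

// Detection helper: flags values that would be altered by C-string handling.
bool hasEmbeddedNul(std::string_view raw_san) {
  return raw_san.find('\0') != std::string_view::npos;
}

// Renders a SAN for logs with non-printable octets (and backslashes) escaped
// as \xNN, so a truncated and an untruncated value never look identical.
std::string printableSan(std::string_view raw_san) {
  static const char kHex[] = "0123456789abcdef";
  std::string out;
  for (const char ch : raw_san) {
    const unsigned char c = static_cast<unsigned char>(ch);
    if (c >= 0x20 && c < 0x7f && c != '\\') {
      out.push_back(ch);
    } else {
      out += "\\x";
      out.push_back(kHex[c >> 4]);
      out.push_back(kHex[c & 0x0f]);
    }
  }
  return out;
}

int main() {
  const std::string san = constructedSan();
  const std::string_view expected = "svc-a.internal";
  std::cout << "san bytes:        " << san.size() << "\n"
            << "logged as:        " << printableSan(san) << "\n"
            << "embedded NUL:     " << hasEmbeddedNul(san) << "\n"
            << "C-string match:   " << matchesViaCString(san, expected) << "\n"
            << "full-value match: " << matchesFullValue(san, expected) << "\n";
  return 0;
}
```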

Removed config or runtime

Normally occurs at the end of the deprecation period

  • http: Removed runtime guard envoy.reloadable_features.http1_balsa_allow_cr_or_lf_at_request_start and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.http1_balsa_delay_reset and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.http1_balsa_disallow_lone_cr_in_chunk_extension and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.http2_propagate_reset_events and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.original_src_fix_port_exhaustion and legacy code paths.

  • jwt_authn: Removed runtime guard envoy.reloadable_features.jwt_fetcher_use_scheme_from_uri and legacy code paths.

  • quic: Removed runtime guard envoy.reloadable_features.http3_remove_empty_cookie and legacy code paths.

  • router: Removed runtime guard envoy.reloadable_features.reject_early_connect_data. This is now controlled by the router filter config option reject_connect_request_early_data.

  • router: Removed runtime guard envoy.reloadable_features.router_filter_resetall_on_local_reply and legacy code paths.

  • tcp: Removed runtime guard envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop and legacy code paths.

  • xds: Removed runtime guard envoy.reloadable_features.report_load_with_rq_issued and legacy code paths.

  • xds: Removed runtime guard envoy.restart_features.skip_backing_cluster_check_for_sds and legacy code paths.

  • xds: Removed runtime guard envoy_restart_features_use_eds_cache_for_ads and legacy code paths.

New features

  • access_log: Added COALESCE substitution formatter operator that evaluates multiple formatter operators in sequence and returns the first non-null result. This enables fallback behavior such as using SNI when available but falling back to the :authority header when SNI is not set.

  • access_log: Added LISTENER_FILTER_CHAIN to the METADATA command operator to allow access to listener filter chain metadata.

  • access_log: Added a new access logger that emits configurable metrics.

  • access_log: Added process-level rate limiting on access log emission via ProcessRateLimitFilter.

  • access_log: Added support for the REQUESTED_SERVER_NAME access log formatter to return SNI and host with parameters.

  • access_log: Added %DOWNSTREAM_LOCAL_ADDRESS_ENDPOINT_ID%, %DOWNSTREAM_DIRECT_LOCAL_ADDRESS_ENDPOINT_ID%, and %UPSTREAM_REMOTE_ADDRESS_ENDPOINT_ID% access_log command operators to access the endpoint ID used to establish a connection to an internal listener.

  • admin: Added allow_paths to admin interface to restrict access to specific admin endpoints. When configured, only paths matching the specified string matchers will be accessible. All other paths will return 403 Forbidden.

  • admin: Added /memory/tcmalloc admin endpoint providing TCMalloc memory statistics.

  • attributes: Added attributes for looking up request or response header bytes.

  • aws: Added match_included_headers to the request signing extension to allow positive header matching while excluding other non-SigV4-required headers.

  • c-ares: Added optional reinit_channel_on_timeout to the c-ares resolver to reinitialize the channel after DNS timeouts.

  • cel: Added per-expression configuration options for the CEL evaluator to control string conversion, concatenation, and string extension functions. CEL expressions in RBAC policies and access log filters can enable functions such as replace() and split() through the new cel_config fields. See CelExpressionConfig for details.

  • cluster: Added composite cluster extension that enables retry-aware cluster selection. This cluster type allows retries to automatically fall back to different sub-clusters based on retry attempt count. Requests fail when retry attempts exceed the number of configured clusters.

  • composite filter: Added support for configuring a chain of filters in the composite filter’s ExecuteFilterAction via the filter_chain field.

  • composite filter: Added support for named filter chains in the Composite filter config via the named_filter_chains field. These pre-compiled filter chains can be referenced from match actions using the filter_chain_name field in ExecuteFilterAction. This improves scalability by allowing filter chains to be defined once and referenced across many match actions.

  • dns_filter: Added access_log for the DNS filter.

  • dynamic modules: Added UDP listener filter support for dynamic modules, enabling UDP datagram processing with dynamic modules.

  • dynamic modules: Added listener filter support for dynamic modules, enabling connection inspection and protocol detection before connection establishment.

  • dynamic modules: Added network filter support for dynamic modules, enabling TCP stream processing with dynamic modules.

  • dynamic modules: Added scheduler API for HTTP filter configuration in dynamic modules. The configuration scheduler allows modules to dispatch asynchronous operations to the main thread, enabling singleton/bootstrap patterns similar to WASM filters for initialization and background tasks.

  • dynamic modules: Added support for loading dynamic modules globally by setting load_globally to true.

  • dynamic modules: Added support for streamable HTTP callouts in dynamic modules. Modules can create streaming HTTP connections to upstream clusters using start_http_stream, send request data and trailers incrementally, and receive streaming response headers, data, and trailers through dedicated callbacks.

  • dynamic modules: Enhanced dynamic module ABIs to support header addition and body size retrieval. See the latest ABI header for details.

  • ext_authz: Added configuration field enforce_response_header_limits to the HTTP ext_authz filter to enable or disable dropping response headers once header count or size limits are reached.

  • ext_authz: Added support for error_response in the external authorization API. Authorization services can return custom HTTP status codes, headers, and response bodies on internal errors, reusing DeniedHttpResponse.

  • ext_authz: Added support for metadata_context_namespaces and typed_metadata_context_namespaces in the ext-authz network filter. This allows passing connection metadata (such as proxy protocol TLV data) to the external authorization server for making authorization decisions.

  • ext_proc: Added StreamedImmediateResponse for streaming local responses.

  • ext_proc: Added per HTTP event processing effects in the ExtProcLoggingInfo filter state. This new data tracks the processing effects (mutation applied, rejected, etc.) for headers, body, and trailers and can be accessed via the processingEffects method.

  • ext_proc: Added support for forwarding cluster metadata to ext_proc server.

  • ext_proc: The MappedAttributeBuilder ext_proc extension now supports re-mapping response attributes (in addition to request attributes).

  • filters: Migrated all extensions in the istio/proxy to the main Envoy repository’s contrib directory.

  • formatter: Added US_RX_BODY_BEG time point to %COMMON_DURATION% to indicate when upstream response body reception begins.

  • formatter: Added support for the following new access log formatters:

    1. %REQUEST_HEADER(X?Y):Z% as full name version of %REQ(X?Y):Z%.

    2. %RESPONSE_HEADER(X?Y):Z% as full name version of %RESP(X?Y):Z%.

    3. %RESPONSE_TRAILER(X?Y):Z% as full name version of %TRAILER(X?Y):Z%.

    This provides a more consistent naming scheme for users to understand and use.

  • generic_proxy: Added custom substitution format specifier support in tracing custom tags for the generic_proxy filter. The %REQUEST_PROPERTY% and %RESPONSE_PROPERTY% specifiers can now be used in value for generic proxy.

  • geoip: Added client_ip to the network geoip filter, enabling dynamic client IP extraction using format specifiers. This allows flexible extraction of client IP from filter state, dynamic metadata, or other sources for geolocation lookups.

  • geoip: Added custom_header_config to allow extracting the client IP address from a custom request header which can be used instead of x-forwarded-for header or downstream connection source address.

  • geoip: Added support for MaxMind Country database via country_db_path.

  • http: Added vhost_header to RouteConfiguration to allow using a different header for vhost matching.

  • http filter: Added transform http filter to modify request and response bodies in any position of the HTTP filter chain. This also makes it possible to refresh routes based on attributes in the request body.

  • http2: Added enable_huffman_encoding which controls whether to use Huffman encoding when sending headers. This is useful in scenarios where the bandwidth saved from Huffman encoding is not worth the CPU cost, e.g., for localhost or sidecar traffic.

  • http2: Added a parameter to sendGoAwayAndClose to support graceful closure of HTTP/2 connections.

  • json_to_metadata: Added support for per-route configuration override in the json_to_metadata http filter. Routes can now specify different JSON to metadata conversion rules via per-route configuration, allowing different routes to extract different metadata from request or response bodies.

  • listener: Added support for configuring TCP keepalive settings on both primary and additional addresses by setting tcp_keepalive and additional address tcp_keepalive. Setting any keepalive field to 0 disables TCP keepalive for that address (or for the listener and inherited additional addresses when only the listener keepalive is configured).

  • listener: Marked filter_chain_matcher as stable by removing the work-in-progress annotation. The xDS matcher API for filter chain selection has been thoroughly tested and is ready for production use.

  • listener_filters: Added Postgres Inspector listener filter for detecting PostgreSQL connections, extracting metadata, and supporting SNI-based routing for PostgreSQL traffic.

  • logging: Added support for the not-equal operator in access log filter rules via ComparisonFilter.

  • lua: Added drainConnectionUponCompletion() to the Lua filter stream info API, allowing Lua scripts to mark connections for draining (adds Connection: close for HTTP/1.1 or sends GOAWAY for HTTP/2 and HTTP/3).

  • lua: Added an executions counter to the Lua filter to track script execution count.

  • matcher: Removed work-in-progress annotations from RBAC filter matcher and shadow_matcher fields in HTTP and network filters, marking the feature stable.

  • mcp: Added MCP filter for parsing Model Context Protocol (MCP) JSON-RPC requests. The filter extracts the method and id fields from incoming requests and stores them in dynamic metadata for use by downstream filters and access logging. Notifications (methods starting with notifications/) are correctly handled as they don’t have an id field per the JSON-RPC specification.

  • mcp: Added mcp_router HTTP filter which routes MCP (Model Context Protocol) requests to more backend servers. The filter supports fanout to multiple backends for initialize and tools-list requests, single-backend routing for tools-call based on tool name prefix, session management with composite session IDs, and response aggregation.

  • mcp: Added method group classification to the MCP filter. Methods are classified into built-in groups (lifecycle, tool, resource, prompt, notification, logging, sampling, completion, unknown) and the group is added to dynamic metadata when group_metadata_key is configured. User-defined groups can override built-in classifications via MethodConfig.

  • metrics_service: Added batch_size to the Metrics Service to batch metrics into multiple gRPC messages. When positive, metrics are batched with at most batch_size metric families per message to avoid gRPC size limits. If unset or 0, all metrics are sent in one message.

  • network: Added logging info for network ext_proc to filter state.

  • network: Fixed socket address proto translations to preserve network namespace filepath information. Previously, listeners in the non-default namespaces would lose this information when passed through proto translation, causing admin /listeners endpoint (and other consumers) to fail to display the namespace.

  • network: Started populating filter state envoy.network.network_namespace when a connection is accepted on a listener with network_namespace_filepath configured, providing read-only access to the network namespace for filters, access logs, and other components.

  • network_filter: Added geoip network filter to perform geolocation lookups at the network layer and store results in filter state. This enables geolocation data to be used for access logging, routing, and other purposes without requiring HTTP traffic.

  • network_filter: Added support for on_downstream_tls_handshake to the set_filter_state network filter, allowing connection filter state to be populated after the downstream TLS handshake completes (for example, using downstream peer certificate SANs).

  • oauth2: Added support for additional parameters in the OAuth2 token request body via endpoint_params. This allows passing custom parameters required by authorization servers (such as Logto or EntraID) that expect additional body parameters during the token exchange.

  • oauth2: Added support for configuring cookie path in the OAuth2 filter. The path field can now be set for each cookie type to control the scope of OAuth2 cookies.

  • on_demand: Added runtime guard envoy.reloadable_features.on_demand_track_end_stream. When enabled, the on_demand filter tracks downstream end_stream state to support stream recreation with fully read request bodies. Previously, the filter rejected all requests with bodies by checking only for a decoding buffer.

  • otlp_stat_sink: Added support for dropping stats via DropAction during custom metric conversion.

  • otlp_stat_sink: Fixed start_time_unix_nano for exported metrics.

  • overload management: The fixed heap resource monitor can calculate memory pressure as currently allocated memory divided by maximum heap size, providing more accurate and lower pressure values. This can avoid unnecessary load shedding. Enable via envoy.reloadable_features.fixed_heap_use_allocated. The default algorithm (heap_size - pageheap_unmapped - pageheap_free) does not discount free memory in TCMalloc caches.

  • proto_api_scrubber: Added comprehensive metrics and tracing tags to the Proto API Scrubber filter. This includes counters for requests, blocks, and failures, latency histograms, and span tags for scrubbing outcomes.

  • proto_api_scrubber: Added support for message and enum level restrictions in the Proto API Scrubber filter.

  • proto_api_scrubber: Enabled the Proto API Scrubber HTTP filter. This filter allows scrubbing of gRPC request and response payloads based on configured restrictions and is robust to untrusted downstream traffic.

  • proxy_protocol: Added tlv_location configuration field to control where proxy protocol TLV values are stored. When set to FILTER_STATE, TLV values are stored in a single filter state object with key envoy.network.proxy_protocol.tlv, enabling HTTP filters to access TLV values via FilterStateInput without requiring custom HTTP filters to copy metadata. Individual TLV values can be accessed via field access: %FILTER_STATE(envoy.network.proxy_protocol.tlv:FIELD:key)%. Defaults to DYNAMIC_METADATA to maintain existing behavior.

  • quic: Added QUIC protocol option max_sessions_per_event_loop to limit the maximum number of new QUIC sessions created per event loop. The default is 16, preserving the previous hardcoded limit.

  • ratelimit: Added support for substitution formatting in rate limit descriptor values.

  • redis: Added support for OBJECT.

  • redis: Added support for redis_proxy to use separate credentials for each upstream Redis cluster.

  • redis: Added support for hello command.

  • reverse_tunnel: Added required_cluster_name field to validate reverse tunnel initiations against the x-envoy-reverse-tunnel-upstream-cluster-name header. If the initiator Envoy’s upstream cluster name does not match required_cluster_name, the connection is rejected with a 400 Bad Request.

  • router: Added hash_policy to HttpProtocolOptions for cluster-level hash policies.

  • router: Added request_mirror_policies to HttpProtocolOptions for cluster-level request mirroring. Cluster-level policies override route-level policies when both are configured.

  • router: Added retry_policy to HttpProtocolOptions for cluster-level retry policies.

  • router: Added substitution formatting for direct response bodies via body_format in DirectResponseAction.

  • server: Added command-line option --file-flush-min-size-kb <integer> to configure the minimum size in kilobytes for log file flushing.

  • tcp_proxy: Added upstream_connect_mode and max_early_data_bytes to control when upstream connections are established and early data buffering behavior. This enables use cases like extracting TLS certificate information or SNI before establishing upstream connections.

  • tls: Added support for fetching certificates on-demand via SDS in the downstream TLS transport socket using the extension on-demand certificate selector.

  • tls: Enhanced TLS certificate validation failure messages in access logs to include detailed error information. The %DOWNSTREAM_TRANSPORT_FAILURE_REASON% and %UPSTREAM_TRANSPORT_FAILURE_REASON% access log formatters now include specific validation failure reasons such as verify cert failed: SAN matcher, verify cert failed: cert hash and spki, or the OpenSSL verification error string (e.g., certificate has expired, unable to get local issuer certificate). This provides better visibility into TLS handshake failures without requiring debug-level logging.

  • tls_inspector: Added configuration parameter to TLS inspector for maximum acceptable client hello size.

  • tls_inspector: Propagated transport errors from tls_inspector to DownstreamTransportFailureReason in StreamInfo for access logging prior to the TLS handshake.

  • tracing: Added new tracing operation and upstream tracing operation fields in the tracing configuration to set custom operation names for spans with the substitution format specifier.

  • tracing: Added new value field and support for substitution format specifier to extract values from request and response data for custom tags.

  • tracing: Dynatrace sampler parses and propagates trace capture reason in tracestate.

  • udp_sink: Enhanced the UDP sink to support tapped messages larger than 64KB.

  • upstream: Added transport_socket_matcher to clusters. This matcher uses the generic xDS matcher framework to select a named transport socket from transport_socket_matches based on endpoint metadata, locality metadata, and transport socket filter state.

  • upstream: Added an extension to override the upstream bind address Linux network namespace using a shared filter state object.

  • wasm: Added sign foreign function to create cryptographic signatures. See Wasm foreign functions for details.

  • xds: Added runtime guard envoy.reloadable_features.report_load_when_rq_active_is_non_zero. When enabled, LRS continues to send locality_stats reports to the config server even when no requests were issued in the poll cycle.